Hackers exploit a zero-day privilege escalation vulnerability in the ‘Ultimate Member’ WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.
Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.
The exploited flaw, tracked as CVE-2023-3460 with a CVSS v3.1 score of 9.8 (“critical”), affects all versions of the Ultimate Member plugin, including the latest release, v2.6.6.
Although the developers attempted to fix the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, those fixes are incomplete and the flaw can still be exploited. The developers have said they are continuing to work on the remaining issue and hope to release a new update soon.
“We have been working on fixes for this vulnerability since version 2.6.3, when we got a report from one of our customers,” posted one of the Ultimate Member developers.
“Versions 2.6.4, 2.6.5, and 2.6.6 partially close this vulnerability, but we are still working together with the WPScan team to get the best result. We also got their report with all the necessary details.”
“All previous versions are vulnerable, so we highly recommend upgrading your websites to 2.6.6 and keeping up with updates in the future to get the latest security and feature enhancements.”
Attacks exploiting CVE-2023-3460
The attacks exploiting this zero-day were discovered by website security specialists at Wordfence, who warn that threat actors exploit it by using the plugin’s registration forms to set arbitrary user meta values on their accounts.
More specifically, attackers set the “wp_capabilities” user meta value to define their user role as administrators, granting them complete access to the vulnerable site.
The plugin has a blocklist of meta keys that users should not be able to set through the form; however, bypassing this protection is trivial, says Wordfence.
WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:
- Appearance of new administrator accounts on the website
- Usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
- Log records showing that IPs known to be malicious accessed the Ultimate Member registration page
- Log records showing access from 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, and 172.70.147.176
- Appearance of a user account with an email address associated with “exelica.com”
- Installation of new WordPress plugins and themes on the site
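The indicators above can be triaged mechanically. The following script is an added example, not code from the article, Wordfence or the Ultimate Member project: it checks a WordPress user export against the listed usernames, email domain and an administrator baseline, and picks access-log lines from the listed IP addresses. The user records and log lines are constructed samples; the registration path in the sample log is assumed, since the article does not give it.

```python
import re
from typing import Dict, List, Set

# Indicators taken from the list above.
SUSPICIOUS_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
SUSPICIOUS_EMAIL_DOMAIN = "exelica.com"
KNOWN_BAD_IPS = {"146.70.189.245", "103.187.5.128", "103.30.11.160",
                 "103.30.11.146", "172.70.147.176"}

# Constructed sample rows, shaped like a `wp user list` export.
SAMPLE_USERS = [
    {"user_login": "siteowner", "user_email": "owner@example.org", "roles": "administrator"},
    {"user_login": "wpengine_backup", "user_email": "backup@exelica.com", "roles": "administrator"},
    {"user_login": "alice", "user_email": "alice@example.org", "roles": "subscriber"},
    {"user_login": "newadmin", "user_email": "x@example.net", "roles": "administrator"},
]
# Constructed sample access-log lines (combined log format); "/register/" is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2023:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 512
103.30.11.146 - - [29/Jun/2023:10:02:17 +0000] "POST /register/ HTTP/1.1" 302 0
146.70.189.245 - - [29/Jun/2023:10:02:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def flag_users(users: List[Dict[str, str]], known_admins: Set[str]) -> Dict[str, List[str]]:
    """Return {user_login: [reasons]} for accounts matching the indicators."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        reasons = []
        login, email, roles = u["user_login"], u["user_email"].lower(), u["roles"]
        if login in SUSPICIOUS_USERNAMES:
            reasons.append("username on indicator list")
        if email.endswith("@" + SUSPICIOUS_EMAIL_DOMAIN):
            reasons.append("email domain on indicator list")
        # Any administrator not in your own baseline is worth a look, whatever its name.
        if "administrator" in roles and login not in known_admins:
            reasons.append("administrator not in known-admin baseline")
        if reasons:
            findings[login] = reasons
    return findings

def flag_log_lines(log_text: str) -> List[str]:
    """Return log lines originating from the indicator IPs (review registration hits first)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in KNOWN_BAD_IPS:
            hits.append(line)
    return hits

if __name__ == "__main__":
    print(flag_users(SAMPLE_USERS, {"siteowner"}))
    print(flag_log_lines(SAMPLE_LOG))
```

Feed it the real user export and web server logs and treat the administrator-baseline check as the primary signal, since the attacker-chosen usernames and email domain can change.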